When a multinational company experiences a massive security breach that affects hundreds of millions of people, don’t its users deserve to know?

Yahoo, the multinational digital company, announced last week that in 2014, a state-sponsored actor, or a hacker supported by a foreign government, hacked the account information of over 500 million users. The attack is one of the largest security breaches of an email provider.

Although Yahoo claims that it was not aware of the breach until this summer, it failed to notify the public of the potential massive security breach at the time. Given the large scale of users this could affect — Yahoo has about one billion monthly active users — the company’s late reaction further compromised millions of users’ personal data.

User information including names, email addresses, telephone numbers and security questions were hacked, meaning users will have to change their passwords and worry about their personal information being out in the open for an indefinite amount of time.

Yahoo could have communicated to its users about the hack sooner, but instead it chose to wait with little regard for people’s security.

The question on how a major company could allow a mistake like this to go unnoticed for so long should make us re-evaluate the digital laws we have in place and demand greater accountability and transparency for companies’ security practices.

Before sending out emails, Yahoo made the announcement on its Tumblr page, a social media platform that is not widely used to the extent of Yahoo’s email base. When users’ identities are at stake, Yahoo should be serious about informing the public of this large-scale hack.

The company blamed the attack on a “state-sponsored actor,” rather than taking responsibility for its actions and issuing an apology. The users deserve an explanation of how the company’s security checks and regulations missed this broad overreach.

The company discovered the breach by accident after investigating a Russian hacker in June who claimed to have stolen data from the email provider. While Yahoo could not verify these specific claims, officials discovered the massive breach shortly afterwards. If Yahoo had been checking the security systems consistently, a small incident wouldn’t have been necessary to reveal a major hacking scare.

But data notification laws make accountability almost impossible. Since laws vary by state, it is difficult to tackle these issues and hold companies accountable for threatening users’ cybersecurity.

In Pennsylvania, the Breach of Personal Information Notification Act requires any business organization to notify users of a breach of the security of a computerized data system “to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.”

The phrase “reasonably believed” is open to interpretation on whether the company deems a hack worthy of disclosing to its users. The vague definition gives companies too much discretion to hide such information, rather than asserting that any potential threat should be communicated clearly.

Furthermore, the act states that any notice of a security breach must be made “without unreasonable delay.” Without giving a specific time frame, two years of having personal information breached could be justified by a company under this definition. The fact that companies can choose to withhold important information because the law doesn’t set a time limit makes public announcements happen long after they occurred.

When it comes to our personal information, we must create laws and security practices that protects consumers’ identities at all times. By putting in uniform laws across all states, we can ensure that companies are transparent when users’ information becomes compromised. If there were short and specific time frames of when companies have to tell users, those users wouldn’t have to wait two years for an update on the security of their personal information. A requirement for companies to notify users of any potential threat would keep users aware and updated of their personal data.

The laws should be clear and specific, leaving little room for errors and requiring strict policies to protect users’ security.

We can’t just blame the hacker, shrug our shoulders and cross our fingers that data breaches don’t happen anymore — let’s make the laws stronger and hold corporations accountable.